From 9a8fa5d64fa5ab35dcd9dbced48eee00a0d614cc Mon Sep 17 00:00:00 2001 From: Jeffrey Altman Date: Sat, 16 Feb 2013 20:22:27 -0500 Subject: [PATCH] Windows: ReleaseNotes reformatting Oxygen 14.2 automatically reformatted the text. Change-Id: I387627948f449c96ed3ab112371752f4673b24d9 Reviewed-on: http://gerrit.openafs.org/9212 Tested-by: BuildBot Reviewed-by: Jeffrey Altman --- doc/xml/ReleaseNotesWindows/relnotes.xml | 123 +++++++++-------------- 1 file changed, 49 insertions(+), 74 deletions(-) diff --git a/doc/xml/ReleaseNotesWindows/relnotes.xml b/doc/xml/ReleaseNotesWindows/relnotes.xml index d3cce3523..f43921113 100644 --- a/doc/xml/ReleaseNotesWindows/relnotes.xml +++ b/doc/xml/ReleaseNotesWindows/relnotes.xml @@ -1,6 +1,5 @@ - ]> @@ -47,8 +46,7 @@ \\AFS UNC server name. OpenAFS is the product of an open source development effort begun on 1 November 2000. OpenAFS is maintained and developed by a group of volunteers with the support of the end user - community. When OpenAFS is used as part of your computing infrastructure, please contribute to its continued growth. + community. When OpenAFS is used as part of your computing infrastructure, please contribute to its continued growth. Installer Options @@ -149,8 +147,7 @@ disk space required Up to 60mb required for the OpenAFS binaries plus 100MB for the default - AFSCache file. The size of the AFSCache file may be adjusted via the Registry after + AFSCache file. The size of the AFSCache file may be adjusted via the Registry after installation. The maximum cache size for 32-bit Windows is approximately 1.2GB. On 64-bit Windows there is no enforced limit on the cache size. 
@@ -217,8 +214,7 @@ The OpenAFS distribution ships with its own implementation of Kerberos v4 and although it is Kerberos v5 capable, it relies on third-party Kerberos v5 libraries. The OpenAFS 1.4 - series (and later) integrates with Heimdal or MIT Kerberos for + series (and later) integrates with Heimdal or MIT Kerberos for Windows 2.6.5 and above. OpenAFS Kerberos v5 capable functionality includes integrated logon, the AFS Authentication Tool, the Network Identity Manager AFS provider, and the aklog command. These tools provide support for Kerberos v5 authentication including @@ -227,13 +223,11 @@ network identity manager - The recommended versions of Heimdal and MIT Kerberos for + The recommended versions of Heimdal and MIT Kerberos for Windows are distributed by Secure Endpoints Inc.. As of this writing, the Secure Endpoints Inc. distribution provides 64-bit Windows support which is unavailable from MIT. KFW 3.2.2 includes Network - Identity Manager 1.3.1 which integrates with the AFS Provider installed as part of + Identity Manager 1.3.1 which integrates with the AFS Provider installed as part of OpenAFS for Windows. The most recent version of Network Identity Manager is version 2.1 which is available as an independent upgrade to MIT Kerberos for Windows. Heimdal does not include a version of Network Identity Manager. @@ -262,8 +256,7 @@ There are two things to consider when using an Active Directory as the Kerberos realm that issues the AFS service ticket. First, the Kerberos v5 tickets issued by Active Directory can be quite large when compared to tickets issued by traditional - UNIX KDCs due to the inclusion of Windows specific authorization data (the + UNIX KDCs due to the inclusion of Windows specific authorization data (the Microsoft PAC). If the issued tickets are larger than 344 bytes, OpenAFS 1.2.x servers will be unable to process them and will issue a RXKADBADTICKET error. OpenAFS 1.4 (and beyond) servers can support the largest tickets that Active 
@@ -276,8 +269,7 @@ the resulting Kerberos v5 tokens. Windows 2000 Active Directory issues tickets with the DES-CBC-CRC enctype. Windows Server 2008 R2 Active Directory domain by default disables use of DES-CBC-MD5 and it must be enabled. - Microsoft has documented in Knowledge Base article 832572 a new NO_AUTH_REQUIRED flag that can be set + Microsoft has documented in Knowledge Base article 832572 a new NO_AUTH_REQUIRED flag that can be set on the account mapped to the AFS service principal. When this flag is set, the PAC authorization data will not be included in the ticket. Setting this flag is recommended for all accounts that are associated with non-Windows services and that @@ -289,8 +281,7 @@ Starting with Windows 7 and Windows Server 2008 R2, Microsoft has disabled the - single DES encryption types,TechNet: + single DES encryption types,TechNet: Changes in Kerberos Authentication. DES must be enabled via Group Policy in order for Active Directory to be used as a KDC for OpenAFS. Enable weak encryption becuase of AFS... Start > Administrative Tools > Group Policy @@ -331,17 +322,14 @@ network identity manager As of release 1.5.9, OpenAFS for Windows includes a Network Identity Manager Provider - for obtaining AFS tokens. This plug-in is a contribution from Secure Endpoints Inc. Network Identity - Manager is a multiple identity credential management tool that ships with MIT Kerberos for Windows version 3.0 and - above. The OpenAFS plug-in requires Heimdal or MIT Kerberos for + for obtaining AFS tokens. This plug-in is a contribution from Secure Endpoints Inc. Network Identity + Manager is a multiple identity credential management tool that ships with MIT Kerberos for Windows version 3.0 and + above. The OpenAFS plug-in requires Heimdal or MIT Kerberos for Windows version 3.1 or above. - + @@ -349,7 +337,7 @@ - + @@ -357,7 +345,7 @@ - + 
@@ -519,18 +507,15 @@ servers. Integrated Logon is required if roaming user profiles are stored within the AFS file system. OpenAFS does not provide tools for synchronizing the Windows and Kerberos user - accounts and passwords. Integrated Logon can be enabled or disabled via the LogonOptions registry value. + accounts and passwords. Integrated Logon can be enabled or disabled via the LogonOptions registry value. When Heimdal or KFW is installed, Integrated Logon will use it to obtain tokens using Kerberos v5. If you must use the deprecated kaserver for - authentication instead of Kerberos v5, the use of KFW can be disabled via the EnableKFW registry value. + authentication instead of Kerberos v5, the use of KFW can be disabled via the EnableKFW registry value. Integrated Logon will not transfer Kerberos v5 tickets into the user's logon session credential cache. This is no longer possible on Vista and Windows 7. Integrated Logon does not have the ability to cache the username and password for the purpose of obtaining tokens if the Kerberos KDC is inaccessible at logon time. Integrated Logon supports the ability to obtain tokens for multiple cells. For further - information on how to configure this feature, read about the TheseCells registry value. + information on how to configure this feature, read about the TheseCells registry value. Depending on the configuration of the local machine, it is possible for logon authentication to complete with one of the following user account types: 
@@ -1178,7 +1163,7 @@ OpenAFS for Windows implements an SMB server which is used as a gateway to the AFS filesystem. Because of limitations of the SMB implementation in pre-1.5.50 releases, Windows stored all files into AFS using OEM code pages such as CP437 (United States) or CP850 (Western Europe). These code pages are incompatible with the ISO Latin-1 or Unicode (UTF-8) character sets typically used as the default on UNIX systems in both the United States and Western Europe. Filenames stored by OpenAFS for Windows were therefore unreadable on UNIX systems if they include any of the following characters: - + 
@@ -1512,8 +1497,7 @@ Windows Vista, Windows 7, and Server 2008 [R2] implement User Account Control (UAC), a new security feature that implements least user privilege. With UAC, applications only run with the minimum required privileges. Even Administrator accounts run applications without the "Administrator" access control credentials. One side effect of this is that existing applications that mix user and system configuration capabilities must be re-written to separate those functions that require "Administrator" privileges into a separate process space. Future updates to OpenAFS will incorporate the necessary privilege separation, until that time some functions such as the Start and Stop Service features of the AFS Authentication Tool and the AFS Control Panel will not work unless they are "Run as Administrator". When a Vista user account that is a member of the "Administrators" group is used to access the AFS Control Panel (afs_config.exe), the process must be "Run as Administrator". Otherwise, attempts to modify the OpenAFS configuration will appear to succeed but in reality will have failed due to Vista's system file and registry virtualization feature. - The help files provided with OpenAFS are in .HLP format. Windows Vista, Windows 7, and Server 2008 + The help files provided with OpenAFS are in .HLP format. Windows Vista, Windows 7, and Server 2008 [R2] do not include a help engine for this format. The following items only apply when the OpenAFS Service is manually configured as an SMB Gateway. 
@@ -2035,8 +2019,7 @@ network paths are inaccessible when Protected Mode is on. TraceOption If you are having trouble with the Integrated Logon operations it is often useful to be - able to obtain a log of what it is attempting to do. Setting the Debug registry value: + able to obtain a log of what it is attempting to do. Setting the Debug registry value: [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider] REG_DWORD Debug = 0x01 will instruct the Integrated Logon Network Provider and Event Handlers to log information to the Windows Event Log: Application under the name "AFS Logon". @@ -2188,7 +2171,7 @@ network paths are inaccessible when Protected Mode is on. - + @@ -2255,9 +2238,7 @@ network paths are inaccessible when Protected Mode is on. openafs-info - If you wish to participate in OpenAFS for Windows development, please join the openafs-win32-devel@openafs.org mailing list. + If you wish to participate in OpenAFS for Windows development, please join the openafs-win32-devel@openafs.org mailing list. https://lists.openafs.org/mailman/listinfo/openafs-win32-devel @@ -2364,7 +2345,7 @@ network paths are inaccessible when Protected Mode is on. 7.2.1.2 OpenAFS for Windows Properties - + @@ -2398,7 +2379,7 @@ network paths are inaccessible when Protected Mode is on. These properties are used to set the values of registry entries associated with OpenAFS for Windows. - + @@ -2586,7 +2567,7 @@ network paths are inaccessible when Protected Mode is on. These properties are combined to add a command line option to the shortcut that will be created in the Start:Programs:OpenAFS and Start:Programs:Startup folders (see CREDSSTARTUP). The method of specifying the option was chosen for easy integration with the Windows Installer user interface. Although other methods can be used to specify options to AFSCREDS.EXE, it is advised that they be avoided as transforms including such options may not apply to future releases of OpenAFS. - + 
@@ -2692,8 +2673,8 @@ network paths are inaccessible when Protected Mode is on. Enter the following : - - + + @@ -2732,7 +2713,7 @@ network paths are inaccessible when Protected Mode is on. Condition - + @@ -2762,8 +2743,8 @@ network paths are inaccessible when Protected Mode is on. Add a new row (Ctrl-R or 'Tables'->'Add Row') with the following values: - - + + @@ -2786,7 +2767,7 @@ network paths are inaccessible when Protected Mode is on. Title - + @@ -2794,7 +2775,7 @@ network paths are inaccessible when Protected Mode is on. Description - + @@ -2818,7 +2799,7 @@ network paths are inaccessible when Protected Mode is on. Directory_ - + @@ -2848,8 +2829,8 @@ network paths are inaccessible when Protected Mode is on. Add a new row with the following values: - - + + @@ -2883,8 +2864,8 @@ network paths are inaccessible when Protected Mode is on. Add a new row with the following values: - - + + @@ -2953,8 +2934,8 @@ network paths are inaccessible when Protected Mode is on. Add a row with the following values : - - + + @@ -3000,7 +2981,7 @@ network paths are inaccessible when Protected Mode is on. We create a new feature and component to hold the new registry keys. - + @@ -3133,7 +3114,7 @@ network paths are inaccessible when Protected Mode is on. We create a new feature and component to hold the new registry keys. - + @@ -3466,11 +3447,9 @@ Variable: cm_mountRoot AFSCache Regkey: [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters] - Type: REG_SZ or REG_EXPAND_SZ - - -Default: "%TEMP%\AFSCache" - + Type: Use REG_SZ if the path contains no expansion variables or REG_EXPAND_SZ if it + does. + Default: "%TEMP%\AFSCache" (REG_EXPAND_SZ) Variable: cm_CachePath Location of on-disk cache file. The default is the SYSTEM account's TEMP directory. The attributes assigned to the file are HIDDEN and SYSTEM. 
@@ -4916,8 +4895,7 @@ NSIS: %WINDIR%\SYSTEM32\afslogon.dll LogonOptions - [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain] + [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain] [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\<domain name>] [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\<domain @@ -5018,8 +4996,7 @@ NSIS: %WINDIR%\SYSTEM32\afslogon.dll Realm - [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain] + [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain] [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\<domain name>] [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\<domain @@ -5037,8 +5014,7 @@ NSIS: %WINDIR%\SYSTEM32\afslogon.dll TheseCells - [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain] + [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain] [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\<domain name>] [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\<domain @@ -5055,8 +5031,7 @@ NSIS: %WINDIR%\SYSTEM32\afslogon.dll Username - [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\<domain + [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\<domain name>\<user name>] [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\LOCALHOST\<user name>] Type: REG_SZ -- 2.39.5
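Review bot: In the AFSCache hunk (@@ -3466,11 +3447,9 @@) the Type and Default lines change wording, not only layout, which does not match a commit message that describes an automatic reformatting. The removed text read "Type: REG_SZ or REG_EXPAND_SZ"; the added text explains when to use each type and tags the default as "(REG_EXPAND_SZ)". Suggest moving this documentation change into its own commit, or at least naming it in the commit message, so it can be reviewed on its merits and is not lost in a whitespace-only diff.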
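Review bot: The context of the @@ -289,8 +281,7 @@ hunk carries the typo "becuase" in "Enable weak encryption becuase of AFS...", and the trailing "..." reads like an unfinished title. The reformatting pass touches the line directly above it, so this is a good place to flag it: a follow-up content commit should correct the spelling to "because" and complete the wording.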
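Review bot: In the @@ -149,8 +147,7 @@ hunk the disk space text mixes unit spellings in one sentence, "Up to 60mb required for the OpenAFS binaries plus 100MB for the default AFSCache file". Suggest "60MB" to match the rest of the paragraph, done as a separate content change so that this commit stays a pure reformat.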